1
0

LDAPProvider.php 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350
  1. <?php
  2. /**
  3. * @copyright Copyright (c) 2016, Roger Szabo (roger.szabo@web.de)
  4. *
  5. * @author Arthur Schiwon <blizzz@arthur-schiwon.de>
  6. * @author Christoph Wurst <christoph@winzerhof-wurst.at>
  7. * @author Robin Appelman <robin@icewind.nl>
  8. * @author Roeland Jago Douma <roeland@famdouma.nl>
  9. * @author Roger Szabo <roger.szabo@web.de>
  10. * @author root <root@localhost.localdomain>
  11. * @author Vinicius Cubas Brand <vinicius@eita.org.br>
  12. *
  13. * @license GNU AGPL version 3 or any later version
  14. *
  15. * This program is free software: you can redistribute it and/or modify
  16. * it under the terms of the GNU Affero General Public License as
  17. * published by the Free Software Foundation, either version 3 of the
  18. * License, or (at your option) any later version.
  19. *
  20. * This program is distributed in the hope that it will be useful,
  21. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  22. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  23. * GNU Affero General Public License for more details.
  24. *
  25. * You should have received a copy of the GNU Affero General Public License
  26. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  27. *
  28. */
  29. namespace OCA\User_LDAP;
  30. use OCA\User_LDAP\User\DeletedUsersIndex;
  31. use OCP\IServerContainer;
  32. use OCP\LDAP\IDeletionFlagSupport;
  33. use OCP\LDAP\ILDAPProvider;
  34. /**
  35. * LDAP provider for pulic access to the LDAP backend.
  36. */
  37. class LDAPProvider implements ILDAPProvider, IDeletionFlagSupport {
  38. private $userBackend;
  39. private $groupBackend;
  40. private $logger;
  41. private $helper;
  42. private $deletedUsersIndex;
  43. /**
  44. * Create new LDAPProvider
  45. * @param \OCP\IServerContainer $serverContainer
  46. * @param Helper $helper
  47. * @param DeletedUsersIndex $deletedUsersIndex
  48. * @throws \Exception if user_ldap app was not enabled
  49. */
  50. public function __construct(IServerContainer $serverContainer, Helper $helper, DeletedUsersIndex $deletedUsersIndex) {
  51. $this->logger = $serverContainer->getLogger();
  52. $this->helper = $helper;
  53. $this->deletedUsersIndex = $deletedUsersIndex;
  54. $userBackendFound = false;
  55. $groupBackendFound = false;
  56. foreach ($serverContainer->getUserManager()->getBackends() as $backend) {
  57. $this->logger->debug('instance '.get_class($backend).' user backend.', ['app' => 'user_ldap']);
  58. if ($backend instanceof IUserLDAP) {
  59. $this->userBackend = $backend;
  60. $userBackendFound = true;
  61. break;
  62. }
  63. }
  64. foreach ($serverContainer->getGroupManager()->getBackends() as $backend) {
  65. $this->logger->debug('instance '.get_class($backend).' group backend.', ['app' => 'user_ldap']);
  66. if ($backend instanceof IGroupLDAP) {
  67. $this->groupBackend = $backend;
  68. $groupBackendFound = true;
  69. break;
  70. }
  71. }
  72. if (!$userBackendFound or !$groupBackendFound) {
  73. throw new \Exception('To use the LDAPProvider, user_ldap app must be enabled');
  74. }
  75. }
  76. /**
  77. * Translate an user id to LDAP DN
  78. * @param string $uid user id
  79. * @return string with the LDAP DN
  80. * @throws \Exception if translation was unsuccessful
  81. */
  82. public function getUserDN($uid) {
  83. if (!$this->userBackend->userExists($uid)) {
  84. throw new \Exception('User id not found in LDAP');
  85. }
  86. $result = $this->userBackend->getLDAPAccess($uid)->username2dn($uid);
  87. if (!$result) {
  88. throw new \Exception('Translation to LDAP DN unsuccessful');
  89. }
  90. return $result;
  91. }
  92. /**
  93. * Translate a group id to LDAP DN.
  94. * @param string $gid group id
  95. * @return string
  96. * @throws \Exception
  97. */
  98. public function getGroupDN($gid) {
  99. if (!$this->groupBackend->groupExists($gid)) {
  100. throw new \Exception('Group id not found in LDAP');
  101. }
  102. $result = $this->groupBackend->getLDAPAccess($gid)->groupname2dn($gid);
  103. if (!$result) {
  104. throw new \Exception('Translation to LDAP DN unsuccessful');
  105. }
  106. return $result;
  107. }
  108. /**
  109. * Translate a LDAP DN to an internal user name. If there is no mapping between
  110. * the DN and the user name, a new one will be created.
  111. * @param string $dn LDAP DN
  112. * @return string with the internal user name
  113. * @throws \Exception if translation was unsuccessful
  114. */
  115. public function getUserName($dn) {
  116. $result = $this->userBackend->dn2UserName($dn);
  117. if (!$result) {
  118. throw new \Exception('Translation to internal user name unsuccessful');
  119. }
  120. return $result;
  121. }
  122. /**
  123. * Convert a stored DN so it can be used as base parameter for LDAP queries.
  124. * @param string $dn the DN in question
  125. * @return string
  126. */
  127. public function DNasBaseParameter($dn) {
  128. return $this->helper->DNasBaseParameter($dn);
  129. }
  130. /**
  131. * Sanitize a DN received from the LDAP server.
  132. * @param array $dn the DN in question
  133. * @return array the sanitized DN
  134. */
  135. public function sanitizeDN($dn) {
  136. return $this->helper->sanitizeDN($dn);
  137. }
  138. /**
  139. * Return a new LDAP connection resource for the specified user.
  140. * The connection must be closed manually.
  141. * @param string $uid user id
  142. * @return resource|\LDAP\Connection The LDAP connection
  143. * @throws \Exception if user id was not found in LDAP
  144. */
  145. public function getLDAPConnection($uid) {
  146. if (!$this->userBackend->userExists($uid)) {
  147. throw new \Exception('User id not found in LDAP');
  148. }
  149. return $this->userBackend->getNewLDAPConnection($uid);
  150. }
  151. /**
  152. * Return a new LDAP connection resource for the specified user.
  153. * The connection must be closed manually.
  154. * @param string $gid group id
  155. * @return resource|\LDAP\Connection The LDAP connection
  156. * @throws \Exception if group id was not found in LDAP
  157. */
  158. public function getGroupLDAPConnection($gid) {
  159. if (!$this->groupBackend->groupExists($gid)) {
  160. throw new \Exception('Group id not found in LDAP');
  161. }
  162. return $this->groupBackend->getNewLDAPConnection($gid);
  163. }
  164. /**
  165. * Get the LDAP base for users.
  166. * @param string $uid user id
  167. * @return string the base for users
  168. * @throws \Exception if user id was not found in LDAP
  169. */
  170. public function getLDAPBaseUsers($uid) {
  171. if (!$this->userBackend->userExists($uid)) {
  172. throw new \Exception('User id not found in LDAP');
  173. }
  174. $access = $this->userBackend->getLDAPAccess($uid);
  175. $bases = $access->getConnection()->ldapBaseUsers;
  176. $dn = $this->getUserDN($uid);
  177. foreach ($bases as $base) {
  178. if ($access->isDNPartOfBase($dn, [$base])) {
  179. return $base;
  180. }
  181. }
  182. // should not occur, because the user does not qualify to use NC in this case
  183. $this->logger->info(
  184. 'No matching user base found for user {dn}, available: {bases}.',
  185. [
  186. 'app' => 'user_ldap',
  187. 'dn' => $dn,
  188. 'bases' => $bases,
  189. ]
  190. );
  191. return array_shift($bases);
  192. }
  193. /**
  194. * Get the LDAP base for groups.
  195. * @param string $uid user id
  196. * @return string the base for groups
  197. * @throws \Exception if user id was not found in LDAP
  198. */
  199. public function getLDAPBaseGroups($uid) {
  200. if (!$this->userBackend->userExists($uid)) {
  201. throw new \Exception('User id not found in LDAP');
  202. }
  203. $bases = $this->userBackend->getLDAPAccess($uid)->getConnection()->ldapBaseGroups;
  204. return array_shift($bases);
  205. }
  206. /**
  207. * Clear the cache if a cache is used, otherwise do nothing.
  208. * @param string $uid user id
  209. * @throws \Exception if user id was not found in LDAP
  210. */
  211. public function clearCache($uid) {
  212. if (!$this->userBackend->userExists($uid)) {
  213. throw new \Exception('User id not found in LDAP');
  214. }
  215. $this->userBackend->getLDAPAccess($uid)->getConnection()->clearCache();
  216. }
  217. /**
  218. * Clear the cache if a cache is used, otherwise do nothing.
  219. * Acts on the LDAP connection of a group
  220. * @param string $gid group id
  221. * @throws \Exception if user id was not found in LDAP
  222. */
  223. public function clearGroupCache($gid) {
  224. if (!$this->groupBackend->groupExists($gid)) {
  225. throw new \Exception('Group id not found in LDAP');
  226. }
  227. $this->groupBackend->getLDAPAccess($gid)->getConnection()->clearCache();
  228. }
  229. /**
  230. * Check whether a LDAP DN exists
  231. * @param string $dn LDAP DN
  232. * @return bool whether the DN exists
  233. */
  234. public function dnExists($dn) {
  235. $result = $this->userBackend->dn2UserName($dn);
  236. return !$result ? false : true;
  237. }
  238. /**
  239. * Flag record for deletion.
  240. * @param string $uid user id
  241. */
  242. public function flagRecord($uid) {
  243. $this->deletedUsersIndex->markUser($uid);
  244. }
  245. /**
  246. * Unflag record for deletion.
  247. * @param string $uid user id
  248. */
  249. public function unflagRecord($uid) {
  250. //do nothing
  251. }
  252. /**
  253. * Get the LDAP attribute name for the user's display name
  254. * @param string $uid user id
  255. * @return string the display name field
  256. * @throws \Exception if user id was not found in LDAP
  257. */
  258. public function getLDAPDisplayNameField($uid) {
  259. if (!$this->userBackend->userExists($uid)) {
  260. throw new \Exception('User id not found in LDAP');
  261. }
  262. return $this->userBackend->getLDAPAccess($uid)->getConnection()->getConfiguration()['ldap_display_name'];
  263. }
  264. /**
  265. * Get the LDAP attribute name for the email
  266. * @param string $uid user id
  267. * @return string the email field
  268. * @throws \Exception if user id was not found in LDAP
  269. */
  270. public function getLDAPEmailField($uid) {
  271. if (!$this->userBackend->userExists($uid)) {
  272. throw new \Exception('User id not found in LDAP');
  273. }
  274. return $this->userBackend->getLDAPAccess($uid)->getConnection()->getConfiguration()['ldap_email_attr'];
  275. }
  276. /**
  277. * Get the LDAP type of association between users and groups
  278. * @param string $gid group id
  279. * @return string the configuration, one of: 'memberUid', 'uniqueMember', 'member', 'gidNumber', ''
  280. * @throws \Exception if group id was not found in LDAP
  281. */
  282. public function getLDAPGroupMemberAssoc($gid) {
  283. if (!$this->groupBackend->groupExists($gid)) {
  284. throw new \Exception('Group id not found in LDAP');
  285. }
  286. return $this->groupBackend->getLDAPAccess($gid)->getConnection()->getConfiguration()['ldap_group_member_assoc_attribute'];
  287. }
  288. /**
  289. * Get an LDAP attribute for a nextcloud user
  290. *
  291. * @throws \Exception if user id was not found in LDAP
  292. */
  293. public function getUserAttribute(string $uid, string $attribute): ?string {
  294. $values = $this->getMultiValueUserAttribute($uid, $attribute);
  295. if (count($values) === 0) {
  296. return null;
  297. }
  298. return current($values);
  299. }
  300. /**
  301. * Get a multi-value LDAP attribute for a nextcloud user
  302. *
  303. * @throws \Exception if user id was not found in LDAP
  304. */
  305. public function getMultiValueUserAttribute(string $uid, string $attribute): array {
  306. if (!$this->userBackend->userExists($uid)) {
  307. throw new \Exception('User id not found in LDAP');
  308. }
  309. $access = $this->userBackend->getLDAPAccess($uid);
  310. $connection = $access->getConnection();
  311. $key = $uid . '-' . $attribute;
  312. $cached = $connection->getFromCache($key);
  313. if (is_array($cached)) {
  314. return $cached;
  315. }
  316. $values = $access->readAttribute($access->username2dn($uid), $attribute);
  317. if ($values === false) {
  318. $values = [];
  319. }
  320. $connection->writeToCache($key, $values);
  321. return $values;
  322. }
  323. }